CVE-2023-1387 - OpenCVE

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Grafana	Grafana
Redhat	Ceph Storage

Configuration 1 [-]

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::

Package	CPE	Advisory	Released Date
Red Hat Ceph Storage 5.3
rhceph/rhceph-5-dashboard-rhel8:5-83	cpe:/a:redhat:ceph_storage:5.3::el8	RHSA-2024:0746	2024-02-08T00:00:00Z
Red Hat Ceph Storage 6.1
rhceph/rhceph-6-dashboard-rhel9:6-82	cpe:/a:redhat:ceph_storage:6.1::el9	RHSA-2023:7741	2023-12-12T00:00:00Z

References

Link	Providers
https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j
https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/
https://grafana.com/security/security-advisories/cve-2023-1387/
https://nvd.nist.gov/vuln/detail/CVE-2023-1387
https://security.netapp.com/advisory/ntap-20230609-0003/
https://www.cve.org/CVERecord?id=CVE-2023-1387

History

No history.

MITRE

Status: PUBLISHED

Assigner: GRAFANA

Published: 2023-04-26T13:47:16.914Z

Updated: 2024-08-02T05:49:11.313Z

Reserved: 2023-03-14T11:11:01.304Z

Link: CVE-2023-1387

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-04-26T14:15:09.430

Modified: 2023-06-09T08:15:09.287

Link: CVE-2023-1387

Redhat

Severity : Moderate

Publid Date: 2023-04-12T00:00:00Z

Links: CVE-2023-1387 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1387", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2023-03-14T11:11:01.304Z", "datePublished": "2023-04-26T13:47:16.914Z", "dateUpdated": "2024-08-02T05:49:11.313Z"}, "containers": {"cna": {"affected": [{"product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "9.2.17", "status": "affected", "version": "9.1.0", "versionType": "semver"}, {"lessThan": "9.3.13", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.5.0", "status": "affected", "version": "9.4.0", "versionType": "semver"}]}, {"product": "Grafana Enterprise", "vendor": "Grafana", "versions": [{"lessThan": "9.2.17", "status": "affected", "version": "9.1.0", "versionType": "semver"}, {"lessThan": "9.3.13", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.5.0", "status": "affected", "version": "9.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Grafana is an open-source platform for monitoring and observability. </p><p>Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. </p><p>By enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.</p>"}], "value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"}], "impacts": [{"capecId": "CAPEC-116", "descriptions": [{"lang": "en", "value": "CAPEC-116"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2023-04-26T13:47:16.914Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"}, {"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.313Z"}, "title": "CVE Program Container", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-1387/", "tags": ["x_transferred"]}, {"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0003/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5664FC02-E4AA-41EC-8EAA-300AD2272CC2", "versionEndExcluding": "9.2.17", "versionStartIncluding": "9.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A544263-545D-4D86-B29F-F7FC12E9A34F", "versionEndExcluding": "9.3.13", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "99EBCA47-A3CD-4C20-B151-300D43426EB2", "versionEndExcluding": "9.4.9", "versionStartIncluding": "9.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"}], "id": "CVE-2023-1387", "lastModified": "2023-06-09T08:15:09.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2023-04-26T14:15:09.430", "references": [{"source": "security@grafana.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"}, {"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2023-1387/"}, {"source": "security@grafana.com", "url": "https://security.netapp.com/advisory/ntap-20230609-0003/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"acknowledgement": "Upstream acknowledges Grafana Security Team as the original reporter.", "affected_release": [{"advisory": "RHSA-2024:0746", "cpe": "cpe:/a:redhat:ceph_storage:5.3::el8", "package": "rhceph/rhceph-5-dashboard-rhel8:5-83", "product_name": "Red Hat Ceph Storage 5.3", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2023:7741", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9", "package": "rhceph/rhceph-6-dashboard-rhel9:6-82", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2023-12-12T00:00:00Z"}], "bugzilla": {"description": "grafana: JWT token leak to data source", "id": "2186322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Grafana is an open-source platform for monitoring and observability. \nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.", "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the \"url_login\" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system."], "name": "CVE-2023-1387", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2023-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-1387\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1387\nhttps://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/\nhttps://grafana.com/security/security-advisories/cve-2023-1387/"], "threat_severity": "Moderate", "upstream_fix": "grafana 9.5.0"}